Phishing used to be a comedy of errors. "Dear Costumer," a logo stretched into abstract art, a prince with a temporary cash-flow problem. We trained a whole generation to spot bad spelling and move on. Then large language models learned flawless grammar in about eighteen months, and the single easiest tell in the history of security awareness vanished overnight.
Modern phishing is fluent, formatted, and personal. An attacker can scrape a LinkedIn profile, hand it to a model, and generate a note that references your real manager, your real project, and your real writing style – for a fraction of a cent. The economics flipped. Being convincing used to be expensive. Now it's free.
So we stop teaching people to hunt for mistakes, and start teaching them to verify context. Here are five tells that still hold up.
How the game changedLink to this section
| The 2018 scam | The 2026 scam | |
|---|---|---|
| Grammar | Broken | Flawless |
| Targeting | Spray and pray | Researched, individual |
| Cost to produce | Hours of effort | Cents per message |
| Voice and video | Rare | Cloned in minutes |
The takeaway lives in the bottom row. The newest attacks aren't even text. A thirty-second voicemail of your CEO is enough raw material to clone their voice and call your finance team. "Spot the typo" was never going to survive that.
The five red flags worth teachingLink to this section
1. It's too polished to be humanLink to this section
Real colleagues ramble. They fat-finger words on their phone, they forget the attachment, they say "lol" in a sentence about a budget. AI-written lures are polite, structured, and just slightly formal. If a message reads like it was copy-edited by a stranger, slow down.
2. The link doesn't match the storyLink to this section
The email name-drops SharePoint; the URL goes somewhere else entirely. AI can write a beautiful pretext, but it can't change where a link actually points. Hover before you click – every time, including on mobile, where the real destination loves to hide.
3. Manufactured urgencyLink to this section
"Action required within the hour," with no ticket number, no project, and no reason you'd be involved. Attackers invent deadlines because deadlines bypass judgement. Genuine urgency almost always comes with context you can verify.
4. The channel is subtly wrongLink to this section
Your CFO doesn't approve invoices over WhatsApp. Your IT team doesn't ask for MFA codes by text. A voice that sounds like your boss is now trivial to fake, so the rule is simple: for anything involving money, access, or data, verify on a different channel than the one the request arrived on.
5. It asks you to break a processLink to this section
This is the tell that survives everything else. The message wants you to skip a step – pay outside the normal system, bypass an approval, share a code "just this once." AI made the wrapper perfect, but the ask is still the same old ask. Process exists precisely so that "just this once" is a red flag, not a favour.
The defence is a verb, not a posterLink to this section
The strongest phishing control isn't a product. It's a team that says "this felt weird" out loud, early, and without embarrassment.
A workforce that reports suspicious mail gives you early warning on live campaigns. A workforce that quietly deletes it – or worse, quietly clicks and says nothing – gives you a breach you find out about later. The difference between those two cultures is almost entirely about how you treated the last person who got it wrong.
Your next 30 daysLink to this section
- Swap "spot the typo" training for "verify the context" training.
- Make reporting a one-click action, and thank every single report.
- Run a simulation that uses a real internal scenario, then debrief without naming names.
- Add an out-of-band verification rule for payments and access changes – and tell people it's there to protect them, not to slow them down.
The attackers upgraded their tooling. The good news is that the human controls that beat them – curiosity, verification, and a team that talks – got cheaper to run, not harder.